MiCrobul

A few days after the honeypot got cracked something strange happened. It got cracked again :) Apparently our dear MASTER-0N didn't close the hole, although he echoed "anonymous" into /etc/users and /etc/ftpusers. After pulling the box down I found /etc/users isn't there and there's no "anonymous" in /etc/ftpusers. I really had no clue why though..

Update: I now know why: apparently MASTER-0N was using a script for installing his rootkit which had comment signs '#' in front of the echos; I didn't notice them in the distorted telnet logs snort made at that time.

Anyway.. the hole wasn't closed, so it wouldn't take long before somebody would stop by and try again. It happened on June 22nd, at 03:42. After gaining a root shell the user 'tcp' was created:

    /usr/sbin/adduser tcp

After that 'mrk.tgz' was downloaded from microbul.home.ro, extracted and installed using './install'. Get it here. This file contains altered 'ps', 'top', 'ifconfig' and 'netstat' binaries, a sniffer, a cgi binary, an install script, a log-cleaning script and a backdoor sshd. Take a look at http://project.honeynet.org/scans/scan13/som/som18.txt or som17.txt for more information about the rootkit.

The installed sshd is started and MiCrobul logs in at 03:44. First MiCrobul checks that nobody other than him is logged in:

    [root@hostname mtr]# w

No problem. Then he checks for listening daemons. Something weird shows up: a daemon listening on port 50001. The listener on port 2128 is his own sshd. Port 98 is linuxconf.

    [root@hostname mtr]# netstat -an | grep LIST

Now let's check which process is using that socket and kill it.

    [root@hostname mtr]# /sbin/fuser -n tcp 50001

Every person needs his social contacts, so why not download psy? Unlike MASTER-0N, MiCrobul doesn't waste his private webspace on a copy of psybnc. Instead he uses efnet.org's copy.

    [root@hostname mtr]# lynx http://www.efnet.org/software/bouncers/psybnc/psyBNC2.2.2.tar.gz

After untarring, building and configuring (he uses pico as editor) the psybnc binary is started. A check is done to see if it runs:

    [root@hostname psybnc]# netstat -an | grep LIST

Lo and behold, a process listening on port 2129: it's psy. For your pleasure here are the commands MiCrobul ran this session.

    w

At 04:00 MiCrobul comes in again, just to check if there's anyone logged in.

    Bash started on Sat Jun 22 04:00:33 2002

That same afternoon, at 14:28, MiCrobul logs in again. Let's see what he did.

    [root@hostname mtr]# w

Ok.. first he checks if there is or has been somebody online. Since I left the box alone nothing shows up (I deleted the wtmp file before putting the box online) and MiCrobul continues. It seems /usr/tcp/ftp is his default storage directory for evil tools. Because the directory is nonexistent, he creates it and ftps into his webspace at home.ro. Let's see what's stored there.

    drwx------ 2 free web 22 Apr 8 2001 _private

Besides some MS Frontpage (TM) (R) (C) (etc) crap there are some gzipped tars too: mrk.tgz probably being MiCrobul RootKit, whereas mbk.tgz is a backup. x4 and x6 are exploits for the OpenSSH deattack.c bug. I've seen x2, x3, x4 and x6 in the wild now; what about x1 and x5? (Update: x6 is backdoored and sends the system information of the system it runs on to the creator via e-mail.)

MiCrobul grabs the ftp.tgz file, which you can get here. The file contains:

    [root@hostname tcp]# tar zxvf ftp.tgz

These are scanning and exploiting tools for wu-ftpd, by which my honeypot got found and cracked too. MiCrobul begins scanning some networks:

    [root@hostname ftp]# ./scan 209 21 239 41 1

What MiCrobul didn't know was that although he was scanning at about 30 KByte/s, outgoing TCP SYN packets were limited to 2 KByte per second, and, once I noticed he was scanning, to a few bytes/s. His scan couldn't get far. While tcpdumping behind the limiter I found that only a few packets per C-class were going out to the internet, nice :)

On June 25th MiCrobul logged in again to scan a few more networks. The first few scans I didn't notice, since I was having lunch, but I monitored him during the rest of the scans. I fiddled a bit with the limiter to limit all outgoing TCP SYNs on port 21 or to let a few bytes/s through to avoid raising suspicion. Problem was, he could find out he was being limited. That, and the fact that he wasn't doing anything interesting I hadn't seen/logged, made me firewall the box, effectively disconnecting it from the internet.
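The rootkit described above ships a replaced netstat, and the point of a replaced netstat is to hide the attacker's own listeners (the backdoor sshd on 2128 in this session) from anyone else who runs it. A simple check that survives a trojaned binary is to read the kernel's socket table in /proc/net/tcp directly and diff it against what netstat prints. The following is an added example written for this write-up, not code from the page or from the rootkit; the /proc/net/tcp and netstat samples are constructed to resemble the session (linuxconf on 98, the backdoor sshd on 2128, the unknown listener on 50001), and which port the fake netstat hides is an assumption for illustration. The check only helps against a userland rootkit: a kernel-module rootkit can lie in /proc as well.

```python
"""Reveal listening TCP sockets that a trojaned netstat binary hides.

Added example for this write-up; not the author's code and not part of the
rootkit it describes. Sample inputs below are constructed.
"""
import os
import subprocess

LISTEN_STATE = "0A"  # 'st' column value for LISTEN in /proc/net/tcp

# Constructed kernel view. Ports are hex: 0x0062 = 98, 0x0850 = 2128,
# 0xC351 = 50001. Entry 3 is an established connection, not a listener.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0062 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 c0000000 300 0 0 2 -1
   1: 00000000:0850 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1 c0000000 300 0 0 2 -1
   2: 00000000:C351 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1236 1 c0000000 300 0 0 2 -1
   3: 0100007F:0850 0100007F:0401 01 00000000:00000000 00:00000000 00000000     0        0 1237 1 c0000000 300 0 0 2 -1
"""

# Constructed output of a netstat that hides the backdoor sshd on 2128
# (assumed behaviour of the trojaned binary, for illustration).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:98              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:50001           0.0.0.0:*               LISTEN
"""


def hex_addr_to_ip_port(hexaddr):
    """Decode a /proc/net/tcp 'IIIIIIII:PPPP' field to (dotted ip, port).

    The IPv4 address is stored in host byte order, so on x86 the octets
    come out reversed: 0100007F is 127.0.0.1.
    """
    ip_hex, port_hex = hexaddr.split(":")
    ip_int = int(ip_hex, 16)
    octets = [(ip_int >> shift) & 0xFF for shift in (0, 8, 16, 24)]
    return ".".join(str(o) for o in octets), int(port_hex, 16)


def listening_ports_from_proc(text):
    """Return the set of local ports in LISTEN state from /proc/net/tcp text."""
    ports = set()
    for line in text.splitlines()[1:]:  # skip header
        fields = line.split()
        if len(fields) >= 4 and fields[3] == LISTEN_STATE:
            _ip, port = hex_addr_to_ip_port(fields[1])
            ports.add(port)
    return ports


def listening_ports_from_netstat(text):
    """Return the set of local ports netstat -an reports as LISTEN."""
    ports = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0] in ("tcp", "tcp6") and fields[-1] == "LISTEN":
            ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports


def hidden_listeners(proc_text, netstat_text):
    """Ports the kernel says are listening but netstat did not show."""
    return listening_ports_from_proc(proc_text) - listening_ports_from_netstat(netstat_text)


def check_live_host():
    """Run the same diff against the running system (Linux only)."""
    if not os.path.exists("/proc/net/tcp"):
        return None
    with open("/proc/net/tcp") as f:
        proc_text = f.read()
    try:
        out = subprocess.run(["netstat", "-an"], capture_output=True, text=True, check=False)
        netstat_text = out.stdout
    except FileNotFoundError:
        return None
    return hidden_listeners(proc_text, netstat_text)


if __name__ == "__main__":
    print("hidden in sample:", sorted(hidden_listeners(SAMPLE_PROC_NET_TCP, SAMPLE_NETSTAT)))
    live = check_live_host()
    if live is not None:
        print("hidden on this host:", sorted(live))
```

On a box suspected of carrying a userland rootkit, run the check from a known-good shell and compare against a statically linked netstat or lsof brought in on read-only media; if the two views differ, treat the system as compromised rather than trusting any binary on it.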
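The scanning phase above was visible from outside the box as a stream of outgoing SYNs to port 21 spread over many /24s, which is what the author saw with tcpdump behind the limiter. A small detector over capture lines makes that pattern explicit: count distinct destination hosts and C-classes per (source, destination port) and flag sources that fan out. This is an added example written for this write-up, not the author's tooling; the tcpdump-style lines are constructed (in `tcpdump -n` format, with the ports unresolved), and the fan-out threshold is an assumption.

```python
"""Flag outbound port scans in tcpdump-style lines by destination fan-out.

Added example for this write-up; not the author's code. Input lines are
constructed to mimic 'tcpdump -n' output of a SYN scan on port 21.
"""
import re
from collections import defaultdict

# Constructed capture: one source sweeping port 21 over three /24s, a
# SYN-ACK coming back (flags 'S.'), and an unrelated SYN to port 80.
CONSTRUCTED_TCPDUMP = """\
03:42:17.101 192.168.1.10.1025 > 209.21.239.41.21: S 10:10(0) win 5840
03:42:17.102 192.168.1.10.1026 > 209.21.239.42.21: S 11:11(0) win 5840
03:42:17.103 192.168.1.10.1027 > 209.21.239.43.21: S 12:12(0) win 5840
03:42:17.204 192.168.1.10.1028 > 209.21.240.7.21: S 13:13(0) win 5840
03:42:17.205 192.168.1.10.1029 > 209.21.240.9.21: S 14:14(0) win 5840
03:42:17.306 192.168.1.10.1030 > 209.21.241.1.21: S 15:15(0) win 5840
03:42:17.307 209.21.239.41.21 > 192.168.1.10.1025: S. 99:99(0) ack 11 win 5840
03:42:18.001 192.168.1.10.1031 > 10.2.3.4.80: S 16:16(0) win 5840
"""

# timestamp src.sport > dst.dport: FLAGS ...
LINE_RE = re.compile(
    r"^(\S+) (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (\S+)"
)


def parse_syn(line):
    """Return (src_ip, dst_ip, dst_port) for a pure SYN, else None.

    A bare 'S' flag is a connection attempt; 'S.' is the SYN-ACK reply,
    which must not be counted as scanning activity.
    """
    m = LINE_RE.match(line)
    if not m or m.group(6) != "S":
        return None
    return m.group(2), m.group(4), int(m.group(5))


def c_class(ip):
    """The /24 an address belongs to, as 'a.b.c'."""
    return ip.rsplit(".", 1)[0]


def summarize_syns(lines):
    """Per (src, dport): distinct hosts, distinct /24s, SYNs per /24."""
    summary = {}
    for line in lines:
        parsed = parse_syn(line)
        if parsed is None:
            continue
        src, dst, dport = parsed
        entry = summary.setdefault(
            (src, dport), {"hosts": set(), "per_c_class": defaultdict(int)}
        )
        entry["hosts"].add(dst)
        entry["per_c_class"][c_class(dst)] += 1
    return {
        key: {
            "hosts": len(v["hosts"]),
            "c_classes": len(v["per_c_class"]),
            "per_c_class": dict(v["per_c_class"]),
        }
        for key, v in summary.items()
    }


def flag_scanners(lines, min_hosts=5):
    """(src, dport) pairs that touched at least min_hosts distinct hosts."""
    return sorted(
        key for key, stats in summarize_syns(lines).items() if stats["hosts"] >= min_hosts
    )


if __name__ == "__main__":
    lines = CONSTRUCTED_TCPDUMP.splitlines()
    for key, stats in summarize_syns(lines).items():
        print(key, stats)
    print("scanners:", flag_scanners(lines))
```

Run against a real capture, the per-/24 counts are the quick way to confirm a limiter is doing its job: a scanner pushing 30 KByte/s of SYNs should show a /24 fully enumerated, while a throttled one shows only a handful of hosts per C-class before it moves on.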
Well.. this is it. My first honeypot. To me it was a
relative success. Last time I was involved with such a project I was able
to track down a stacheldraht ddos-network and a botnet. By mailing admins
I was able to weaken the ddos-network and disconnect half the botnet.
This time neither of the kiddos seemed to have a ddos-net or a botnet.
MASTER-0N only installed an IRC bouncer, MiCrobul only used my honeypot
as a scanning platform. Perhaps next time better, although I could always
trojanize MiCrobul's rootkit to have my fun >;)